Matt Jacobson, M&A partner, co-head telecom at Ropes & Gray, and Doreen Edelman, partner and chairwoman, global trade at Lowenstein Sandler. (Courtesy Photo) Matt Jacobson, M&A partner, co-head telecom at Ropes & Gray, and Doreen Edelman, partner and chairwoman, global trade at Lowenstein Sandler. (Courtesy Photo)

The new U.S. Treasury Department regulations governing reviews by the Committee on Foreign Investment in the United States took effect earlier this month and so-called financial technology, or "fintech," companies and their venture capital and private equity investors are among the industries most affected, foreign trade and national security lawyers said.

In-house lawyers for these companies, which broadly defined include payment systems, mobile banking and insurance-focused technologies, cryptocurrency and exchange platforms and other innovative disrupters of the financial services industry, as well as asset managers, will have to pay close attention to the changes. 

Some of the new regulations that took effect on Feb. 13 under the Foreign Investment Risk Review Modernization Act of 2018 were drafted specifically to address the issue of minority stakes in U.S. tech startup companies deemed important to U.S. military or national security interests. 

"This is such an expanded group of companies because the way CFIUS looks at this now is like this is an episode of 'Homeland,'" the television series, said Doreen Edelman, founder and chairwoman of Lowenstein Sandler's global trade and policy practice in Washington, D.C.

In transactions, "you really have to open up both sides, know beneficial ownership on both sides of the deal and what they are going to do with the technology in the future. It has to be forward-thinking," Edelman said. 

 "Something else GCs ought to know is that the risk may be bigger for the buyer than the seller. It depends on how the agreement is written and what the investment is," she said. "Also, there is no de minimis on this. If it is a $3 million investment, you still have to consider CFIUS." 

Ama Adams/courtesy photo Ama Adams/courtesy photo

Ama Adams, a Ropes & Gray international trade partner, said: "Given the global ecosystem, if you have a fintech startup looking to bring on foreign investment, it is important that the general counsel not just look at it from a control stake but also noncontrol, minority stakes. What are the foreign investors asking for? Is it critical tech? Identifiable data? Look into it." 

Matthew Jacobson, a partner in Ropes & Gray's mergers & acquisitions and co-head of its telecom, media and technology practice based in San Francisco who once was corporate counsel for Hewlett-Packard Co., said, "CFIUS being tailored toward broader policy goals, anything with [data] processing and critical computing could drift in that direction" under the right set of facts.

There are three key areas that in-house counsel should consider, the CFIUS lawyers said. The first is CFIUS' newly expanded jurisdiction over critical and emerging technologies and technology companies; the second is critical infrastructure; and the third is sensitive personal data. In the fintech context, these could include:

1. Companies that are engaged in developing artificial intelligence and other critical technologies, including emerging and foundational technologies. That could be biometrics and encryption in financial applications. "Many financial services businesses are developing their own types of tech that include AI and advanced computing and they could fall under 'emerging and foundational technologies' subject to mandatory reporting requirements," Adams said. Edelman said, "In order to do the CFIUS analysis, you have to know if you have critical technology. The pilot program has gone away, but it is still very helpful because it tells us the focus industries where the government feels there is risk and what they care about."

2. Companies that provide, serve or maintain our electronic banking and money transfer infrastructure, as well as telecommunications infrastructure in general.

3. Companies that maintain personally identifiable information on 1 million or more Americans, especially data about their financial distress or indebtedness, including certain types of banking and financial information. In other words, "could an employee of the investor get access to sensitive data and use it for a nefarious purpose?" Edelman said.

Buyers or investors who are not from the United Kingdom, Canada or Australia may require closer vetting in dealmaking. Those three countries were essentially "whitelisted" from the new CFIUS regulations in many instances, at least for now, but the regulation allows for countries to be added or deleted from the list based on their own foreign investment rules.

Under the new regulations it is important also to consider where fintech companies are truly domiciled, Jacobson said, because a company with a headquarters in name only also could come under scrutiny by the interagency CFIUS panel. He said, "When people are looking for money they may not care that much where it comes from, but fundraising is something that they need to be paying attention to."

Edelman also emphasized the importance of thorough vetting. "You have to pierce the veil of these companies. You have to know the beneficial owners," she said.  

Surprises can pop up in many types of transactions. If the company is interested in taking on additional foreign investment or debt or they want to sell the business, it needs to think about how these foreign investment rules could affect their strategic business or exit plan, she said.

"We have seen situations where a tech company [with critical technologies] is of interest to a U.S. buyer and they find out there is foreign ownership already in the company and it poses a problem for the potential buyer because there is CFIUS concern," Edelman said. "The concern is that because of the national security implication, the regulations are written so broadly that if the U.S. government decided there was a national security risk, they could unwind or require some form of divestiture of foreign ownership."

Edelman said, "The sooner you know the better," adding that CFIUS is even relevant in bankruptcy or auction situations. 

The CFIUS lawyers agreed that companies and their general counsel are going to have to be more foresighted in cross-border fintech transactions given the new regulations, and especially with respect to decisions about voluntary filings, which are still a "balancing act," according to Edelman. 

Edelman said that if she were a general counsel, "I would want to have it reviewed initially and get something in writing that I had someone review it and tell me what my risks are if I don't file, or why I don't need to file [for a CFIUS review] in case the government comes knocking on the door later."

Adams said, "This new landscape for CFIUS regulations is a prime example of how the definition of national security continues to evolve with respect to foreign investment."

Read More:

Final CFIUS Rules for Real Estate Transactions: 5 Things to Know

Treasury Dept. Enacts Final Rules on Foreign Investment: Key Takeaways for In-House Counsel

In-House Compliance Counsel Leading Push for More Guidance From Regulators